Red Hat Bugzilla – Bug 426218
CVE-2007-6285 autofs default doesn't set nodev in /net
Last modified: 2010-02-23 23:51:21 EST
It was reported to email@example.com that the autofs defaults do not set the
nodev NFS option.
Bug 410031 notes the missing nosuid option by default for the /net autofs
filesystems; the fix for that issue did not take into account that there was
also a missing nodev option for these filesystems.
Without the nodev option, it is possible for an attacker to mount a remote
filesystem which could give them access to various devices that should normally
have restricted access, such as /dev/mem, and various hardware devices.
Red Hat would like to thank Tim Baum for reporting this issue.
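An added example, not part of the bug report or of the autofs code: a Python check that reads entries in /proc/mounts format and reports NFS mounts under /net that lack nodev or nosuid, the two options this bug and bug 410031 concern. The sample entries, host names, addresses and function names are constructed for illustration.

```python
#!/usr/bin/env python3
"""Flag NFS mounts under an autofs root (default /net) lacking nodev/nosuid."""
import re
import sys

REQUIRED = ("nodev", "nosuid")

# Constructed sample in /proc/mounts format (hypothetical hosts and exports).
SAMPLE = """\
/etc/auto.net /net autofs rw,relatime,fd=7,pgrp=1201,timeout=60 0 0
filer1:/export/home /net/filer1/export/home nfs rw,nosuid,relatime,vers=3,addr=192.0.2.10 0 0
filer2:/srv/pub /net/filer2/srv/pub nfs rw,nosuid,nodev,relatime,vers=3,addr=192.0.2.11 0 0
filer3:/scratch\\040area /net/filer3/scratch\\040area nfs4 rw,relatime,vers=4.0,addr=192.0.2.12 0 0
filer4:/data /network/data nfs rw,relatime,vers=3,addr=192.0.2.13 0 0
/dev/sda1 / ext4 rw,relatime 0 0
"""


def unescape(field):
    # /proc/mounts encodes space, tab, newline and backslash as \ooo octal.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def under(path, root):
    # True for the root itself and its descendants; "/network" is not under "/net".
    root = root.rstrip("/")
    return path == (root or "/") or path.startswith(root + "/")


def audit_mounts(mounts_text, root="/net"):
    """Return [(mountpoint, [missing options])] for NFS mounts under root."""
    findings = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # not a mount entry
        mountpoint, fstype = unescape(fields[1]), fields[2]
        if fstype not in ("nfs", "nfs4") or not under(mountpoint, root):
            continue
        options = set(fields[3].split(","))
        missing = [opt for opt in REQUIRED if opt not in options]
        if missing:
            findings.append((mountpoint, missing))
    return findings


if __name__ == "__main__":
    # Pass /proc/mounts as the argument to audit a live host; default is the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for mountpoint, missing in audit_mounts(text):
        print(f"{mountpoint}: missing {','.join(missing)}")
```

The check only sees filesystems that are mounted at the time it runs, so on an automounted tree it should be run while the exports of interest are in use.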
Fixed now in affected version of Red Hat Enterprise Linux:
Updates now available also in stable Fedora repositories: